Victor Duchovni <[EMAIL PROTECTED]> writes:

>Wouldn't the old root also (until it actually expires) verify any
>certificates signed by the new root? If so, why does a server need to send
>the new root?

Because the client may not have the new root yet, and when they try and verify
using the expired root the verification will fail.

(There's a lot of potential further complications in there that I'm going to
 spare people the exposure to, but that's the basic idea).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to